I need a suggestion about having AD DS or AD LDS for my infrastructure.

I have a website which as of now do not have any log in facility for the visitors, now we are developing a new application so that the visitors can create account on the website. the best example you can think of is of any telecom service provider, they have their webiste and now is creating a login facility for it's customers so the users can create an account and can subscribe for ebill sort of facilities.

Hope the situation is clear now. For this particular application, I intend to have a web server, an application server, a DB server, one SMTP server and one AD server(for authentication of users and for saving the profiles also).

My question here starts on AD front, here do i need AD DS or AD LDS here, what i need from AD is

2 Answers
2

As Rajeev has pointed out in comments, Active Directory IS an LDAP server and more, and the AD LDS service is a "free" Windows Server role that is provided to do specifically what he is looking for. AD provides many extras (replication, Kerberos, federation, etc.) that you would have to build on your own with a Free/OSS solution like OpenLDAP+postgres+kerberos. There are other (primarily commercial) directory services which have similar abilities.

Licensing should probably not be an issue. You are probably going to have AD installed if your deployment is going to be primarily Windows-based (for the computer accounts, admin accounts, etc.), and this will be relatively small (looks like a 5-user CAL at most). Any "user" objects that you create in LDS for your public users will not be counted against the licenses for your AD DS accounts. You can contact Microsoft Licensing to verify this.

Using AD LDS definitely has some great benefits, your proposed installation may be too small to realize some of them though.

Replication is probably the #1 "freebie" you get with LDS. Your AD DS Sites and Subnets topology can be used to manage replication automatically, just like for AD DS. But with only one LDS server, you won't need replication.

Most of the newer tools for backup, maintenance, reporting, etc. will all work as well with LDS as they do with DS. So, if you already have some off-the-shelf tools in-house, you can probably just use them for your LDS. Again, your setup sounds too small for this to be a big benefit.

If you are ALREADY familiar with the care and maintenance of AD DS, using LDS will be generally familiar and will build on a knowledge-set you already have. This can mean significant improvements in supportability and manageability, any scripting knowledge you have will be generally transferrable, etc. This is a bonus.

And again, LDS is "free" with Windows, if you've installed a 2003/2008 server then LDS is included. This is also a bonus.

With Windows Server 2008 R2 you get all the cool features from the AD DS code-base (snapshots, etc.)

All that said... If you don't have any particular experience with AD, and don't have any particular infrastructure already in place to handle it, you may not see much benefit by going this route. Based on the size of your described deployment, you could almost certainly go with an OSS setup like LAMP + OpenLDAP, depending on your comfort-zone and what you are application requirements are.

Keep in mind that if you are doing any kind of user management, then you are going to very, VERY sorry if your approach is just "stick a bunch of user names and passwords in a SQL table." User management is a complex process that has already been solved countless times before. Handling passwords is something you just should not be doing unless you already have lots of experience in security related programming. Please don't roll your own!

Find a suitable commercial or OSS framework that has been designed already to handle AAA* correctly, something like OpenID is probably not a terrible idea. Jeff Atwood's blog(he runs a website, you may have heard of it...) has a number of posts discussing these issues around his work on StackOverflow and ServerFault.

Thanks very much Ryan for the clarification, so in my opinion, now i am thinking of having AD LDS for the above mentioned reuirement. One thing that is not clear to me is the license part, as my user would be coming to web server and web server will direct the request to AD LDS for authentication; where exactly so i need license here; the external user license is reuired at webserver or at AD LDS or is not at all required?
–
RajeevApr 5 '10 at 4:09

suppose my external userdatabase is going to increase come time, and i intentionally do not want to put the users in DB server, then what is the solution for above proposed scnerio
–
RajeevApr 1 '10 at 6:24

putting it on db server. Seriously - what you say is like "I want to drive in formulaa one, but not use a formula one approoved car - what can I do?". AD has licensing issues. you do not put external users into it. AD is for AD users - users which need a windows identity to work with the windows operating system. Web-Apps normally have their own user repository. WHat you can do is ALSO allow windows identity to map to an internal user - this is waht I do.
–
TomTomApr 1 '10 at 6:43

Basically: an app of mine has it's own database basd membership management, but one property is "WIndowsIdentity" - domain, user name. If the user comes in authenticated, this is automatically mapped.
–
TomTomApr 1 '10 at 6:44

You do not want to use AD at all. If you must use something like that, try LDAP. AD is really only for Windows (cough) Domain administration and authentication. If you do not need to control Windows machine logins, then forget AD. Even if you need to control that, you could use Samba. But that's not your question, is it?
–
d-_-bApr 1 '10 at 6:53

1

@TomTom: really appreciate your response; For clarification, all users would be only external users which will come via visiting website. does AD has licensing issues? which one? @Sims: AD LDS is a LDAP only, can i use LDAP over AD DS here? can AD LDS work totally independent of AD DS? one more question coming here, if I need to manage the windows server authentication then what we need to do?
–
RajeevApr 1 '10 at 7:17